Target HVAC Contractor Says It Was Breached By Hackers

A contractor that provides HVAC (heating, ventilation, and air conditioning) services for Target Corp. said on Thursday that like Target, it too was a victim of a sophisticated cyber attack.

The attack against the contractor, Fazio Mechanical Services, supports earlier claims that it was the vendor attackers stole credentials from in order to breach the retail giant.

Target spokesperson Molly Snyder told SecurityWeek last month that an ongoing forensic investigation indicated that the intruder stole a vendor’s credentials, which were used to access Target’s system.

Ross Fazio, President and Owner of Fazio Mechanical Services, said in a statement that it does maintain a data connection with Target that was used exclusively for electronic billing, contract submission and project management.

The company did not say now many retail locations it maintains a data connection with.

Fazio said his firm does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target. He also said that Target is the only customer that it provides such management for on a remote basis, and that no other customers have been affected by the breach.

“Like Target, we are a victim of a sophisticated cyber attack operation,” Fazio said in a statement. “We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client/vendor connections making them less vulnerable to future breaches.”

Fazio Mechanical Services was first called out on Feb. 5 by Brian Krebs as the alleged third party vendor connected to the breach as a result of stolen credentials.

"The recent discovery that the credentials stolen in the Target breach were from an HVAC contractor shows how much we live in a connected world and how insider threats are the hardest to detect since outside attackers look just like employees when they are on the network,” Eric Chiu, president & co-founder of HyTrust, told SecurityWeek. “In this new 'Internet-of-Things' world, heating are connected to the same corporate networks that run other systems such as point-of-sale applications and customer databases. This concentration of systems, networks and data creates a treasure trove for attackers looking to steal information.”

“The trouble is that a lot of people implementing ‘smart devices’ do not recognize the security risks of placing them on a production network where they can access other sensitive data or systems,” Dwayne Melancon, chief technology officer for Tripwire, said. “This is yet another example of the need for security professionals to take a step back and look at the overall ecosystem of devices and how they are connected. Attackers will find and exploit the weakest link in an interconnected network every time.”

“One thing that isn't known about this attack: were the same credentials for the HVAC system used on other devices in the network? If so, that is what I would call a rookie mistake," Melancon said.

“All commercial HVAC systems are computer controlled today,” said Lamar Bailey, director of security research at Tripwire. “The temperature for most big, commercial buildings is set based on time of day and proximity sensors and requires computer access the controls. If there was something wrong with the HVAC settings in one of Target’s properties, they would probably call a contractor, and it’s entirely possible that a repairman with a laptop would need to log on to the network where the HVAC controls are located to troubleshoot the problem.”

“If Target had other network systems, especially the patch delivery server for the POS devices or the POS devices themselves, on the same segment of the network where the contractor logged in it would be relatively simple to infect the network with malware,” Bailey explained. “The contractor may not have known his laptop was compromised with malware, or he could have been one of the lynchpins in the attack. We’ve certainly seen enough movies where the plot hinges on a guy with a clipboard using a repairman ruse to get inside an organization. Based on what we know about this breach that scenario is completely plausible.”

Qualys researchers Billy Rios and Terry McCorkle say they have found 55,000 HVAC systems connected to the Internet, most with basic security vulnerabilities that put them at risk and provide links to numerous other unwitting corporate networks.

Target previously said that it has taken extra precautions such as limiting or updating access to some of its platforms while the investigation continues.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.